Originally Posted by Ms. Daisy
AppArmor won't help - a "feature" of Java is that it allows remote code execution inside Java. Will AppArmor stop Java from executing Java? :/
After the AppArmor profile for Firefox was put in enforce mode, I issued the following command, and it displayed the following result:
Code:
apparmor module is loaded.
21 profiles are loaded.
21 profiles are in enforce mode.
/sbin/dhclient
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//launchpad_integration
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince-thumbnailer//sanitized_helper
/usr/bin/evince//launchpad_integration
/usr/bin/evince//sanitized_helper
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/firefox/firefox{,*[^s][^h]}
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/sbin/cupsd
/usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/lib/telepathy/mission-control-5 (1992)
/usr/sbin/cupsd (801)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
Then I further checked the following file:
Code:
sudo nano /etc/apparmor.d/abstractions/ubuntu-browsers.d/java
I found out that almost all of the components of Java are allowed read-only access, except for the Java binary itself.
To confirm whether the AppArmor profile for Firefox works against the vulnerability, I need to set up a lab to test it. You will be informed as soon as possible.
Samiux
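The status output above lists the Firefox profile (with its browser_java and browser_openjdk child profiles) under "profiles are in enforce mode", but only cupsd and mission-control-5 under "processes are in enforce mode". A loaded profile does not confine anything by itself: AppArmor attaches a profile when a matching binary is exec'd, so a browser that was already running when the profile was loaded stays unconfined until it is restarted. The script below is an added example for this thread, not code from the original post or from the AppArmor project. It parses text in the layout of `aa-status` output (the sample is constructed for the example, modeled on the output posted above, and is not the poster's real output) and, on a Linux host with AppArmor, reads the label the kernel reports in `/proc/<pid>/attr/current` for each running process of a given name. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: does a loaded AppArmor profile actually confine a running
# process? Checks the two signals visible in aa-status output, then the
# per-process label the kernel exposes.

# Constructed sample in the layout of `aa-status` output (not real output).
SAMPLE_AA_STATUS=$(cat <<'EOF'
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
   /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
   /usr/lib/telepathy/mission-control-5
   /usr/sbin/cupsd
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/lib/telepathy/mission-control-5 (1992)
   /usr/sbin/cupsd (801)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
)

# profile_loaded <aa-status text> <profile substring> -> prints yes|no
# Looks only inside the "profiles are in enforce mode" section.
profile_loaded() {
  printf '%s\n' "$1" | awk -v pat="$2" '
    /profiles are in enforce mode\./  { in_sec = 1; next }
    /profiles are in complain mode\./ { in_sec = 0 }
    in_sec && index($0, pat)          { found = 1 }
    END { print (found ? "yes" : "no") }'
}

# enforced_processes <aa-status text> -> one "<profile> <pid>" line per entry
# in the "processes are in enforce mode" section.
enforced_processes() {
  printf '%s\n' "$1" | awk '
    /processes are in enforce mode\./  { in_sec = 1; next }
    /processes are in complain mode\./ { in_sec = 0 }
    in_sec && match($0, /\([0-9]+\)$/) {
      pid  = substr($0, RSTART + 1, RLENGTH - 2)   # digits between the parens
      prof = substr($0, 1, RSTART - 2)             # everything before " ("
      sub(/^[ \t]+/, "", prof)                     # strip aa-status indentation
      print prof, pid
    }'
}

# count_confined_by <aa-status text> <profile substring> -> number of running
# processes confined under a profile whose name contains the substring.
count_confined_by() {
  enforced_processes "$1" | awk -v pat="$2" 'index($1, pat) { n++ } END { print n + 0 }'
}

# live_confinement <binary name> -> one "<pid> <label>" line per running
# process of that name. The label is what the kernel reports in
# /proc/<pid>/attr/current: a profile name plus "(enforce)"/"(complain)",
# or "unconfined". Only meaningful on Linux with the apparmor module loaded.
live_confinement() {
  if [ ! -d /sys/module/apparmor ]; then
    echo "apparmor module not present on this host"
    return 0
  fi
  command -v pidof >/dev/null 2>&1 || { echo "pidof not available"; return 0; }
  local pids pid label
  pids=$(pidof "$1" 2>/dev/null) || pids=""
  [ -n "$pids" ] || { echo "no running process named $1"; return 0; }
  for pid in $pids; do
    label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || label="unreadable"
    printf '%s %s\n' "$pid" "$label"
  done
  return 0
}

printf 'Firefox profile loaded (sample): %s\n' \
  "$(profile_loaded "$SAMPLE_AA_STATUS" '/usr/lib/firefox/firefox')"
printf 'Firefox processes confined (sample): %s\n' \
  "$(count_confined_by "$SAMPLE_AA_STATUS" '/usr/lib/firefox/firefox')"
printf 'cupsd processes confined (sample): %s\n' \
  "$(count_confined_by "$SAMPLE_AA_STATUS" '/usr/sbin/cupsd')"
echo "Live check of this host:"
live_confinement firefox
```

On the sample the Firefox profile is loaded but confines zero processes, which is exactly the situation in the posted output. Before testing whether the profile blocks anything, restart Firefox after `aa-enforce` and confirm that `/proc/<pid>/attr/current` for the browser shows the firefox profile with `(enforce)`; a plugin-spawned Java process should then carry the `//browser_java` or `//browser_openjdk` child profile rather than `unconfined`.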